Not Every Incident Causes Damage. But That Doesn’t Mean It’s Not Worth Talking About.
We’ve gotten (reasonably) good at tracking Security Incidents - the ones that “count,” that cause damage, that trigger IR playbooks and postmortems.
But what about the near-misses?
- The misconfiguration caught during routine review
- The phishing email someone actually reported, before it fooled anyone
- The engineer who noticed a hardcoded key just before merging to prod
- The “nothing happened… but it could have” moments
These aren’t footnotes—they’re warning shots.
In other disciplines, mostly those closely tied to the safety domain (e.g., aviation, medicine, manufacturing), near-miss reporting is a mature, institutionalized practice. In infosec? It’s still wildly underdeveloped.
Why?
Because near-miss reporting is:
- Culturally hard (it feels like admitting failure)
- Operationally ambiguous (what even qualifies?)
- Rarely rewarded (no fire to put out = no attention)
But if we only learn from breaches, we’re missing 90% of the puzzle.
We need better:
- Feedback loops for “almost incidents”
- Psychological safety to report close calls
- Shared repositories of lessons learned—before they hurt us
A robust near-miss culture won’t just prevent tomorrow’s breach - it builds a more mature, introspective security org.
So here’s the nudge: If your team isn’t talking about the ones that didn’t happen… start. Here’s how:
- Start by identifying near-miss scenarios tied to high-priority risks. Then figure out how you’d detect them early.
- Provide communication channels for near-miss reporting, and consider allowing anonymous submissions.
- Establish blame-free post-mortems. Nothing has gone wrong yet, and this is a chance to prevent the next near-miss from becoming an incident.
- Finally, use your new visibility into this specific type of near-miss to define a Key Risk Indicator. This will provide additional data for your risk analysis (and maybe allow you to move towards risk quantification) and for risk communication.
Does your team track near-misses? If so—how do you make them count?